Magazine

Forget Those Comfy Old Rules About Fraud

March 27, 2005

Way back when most banking transactions were conducted at a teller window or with a checkbook, the rules governing who was liable for losses from fraud were simple. Customers who had their checkbooks stolen weren't liable for the loss if a thief used them to write hot checks. Similarly, as credit cards took hold, consumers were legally on the hook for just the first $50 in unauthorized transactions.

But in the digital era -- where electronic purchases, payments, and fund transfers can move around the globe at the speed of light -- consumers are learning that the old rules don't always apply. Depending on how fraudsters gain access to your account or use your identity, banks may not always absorb the losses. Fraud victims who have wrangled with banks say this is particularly true with unauthorized debit-card transactions or mysterious electronic withdrawals from bank accounts.

Banks still absolve consumers of any losses from the fraudulent use of credit cards -- even months later. Most also now waive even that modest $50 payment. That's not the case for business cards, though. Federal laws that limit user liability apply only to consumers -- and most banks make corporate customers assume far more liability for cards issued to their employees. Their reasoning: Employees may not treat a business card with the same care as their own, since it isn't their money.

What's more, while many banks indemnify consumers from fraud involving debit-cards and electronic funds transfers, that's far from universal. Under federal law, banks can hold consumers liable for the first $50 of losses from cases reported within two days, and up to $500 in losses going back 60 days. And consumers who wait more than two months after receiving a statement to report fraud may be out of luck. Banks are under no obligation to reimburse them.

That was the experience of John S. Watson, a NASA engineer in Santa Clara, Calif., who discovered in early 2003 that $7,600 had been transferred the previous fall from his Bank of America account to an Internet-based payment service. BofA refused to reimburse Watson, saying his claim was outside the 60-day window. So Watson took the bank and the payment service to small-claims court, where a judge ordered both to make him whole. "I had always thought that 'money in the bank' meant your money was safe," Watson now says. BofA declined comment.

While many banks say they reimburse customers for any unauthorized transfers or withdrawals from their checking accounts, that isn't always the case -- particularly for businesses. Consider Joe Lopez, who with his wife owns a computer-parts distributorship in Miami. Last April, Lopez says he discovered a mysterious $90,348 wire transfer from his Bank of America account to a bank in Latvia from earlier that morning. Lopez immediately notified BofA, which in turn alerted the U.S. Secret Service. When the feds examined Lopez' PC, they discovered it had been infected with a Trojan virus called CoreFlood that helped hackers get his password.

Lopez says when he asked BofA for help, the bank refused -- arguing that Lopez was at fault for not using antivirus software robust enough to detect the Trojan. In February, Lopez sued the bank. "I'm not afraid to go up against BofA," he says. For its part, a BofA spokeswoman says, "[we intend] to vigorously defend ourselves." Lopez' experience is a cautionary tale about the importance of antivirus software. And it also serves as a reminder that in cyberspace, it's every man for himself.